© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Presentation transcript:

IT Auditing, Hall, 3e

Slide 1
• IT Governance: subset of corporate governance that focuses on the management and assessment of strategic IT resources
• Key objectives:
  ◦ Reduce risk
  ◦ Ensure investments in IT resources add value to the corporation
• All employees and stakeholders must be active participants in key IT decisions

Slide 2
• Three IT governance issues addressed by SOX and the COSO internal control framework:
  ◦ Organizational structure of the IT function
  ◦ Computer center operations
  ◦ Disaster recovery planning
• Nature of risk associated with each issue
• Controls used to mitigate risk
• Audit objectives
• Tests of controls

Slide 3
• Centralized data processing [see Figure 2-1]
• Organizational chart [see Figure 2-2]
  ◦ Database administrator
  ◦ Data processing manager/dept.
  ◦ Data control
  ◦ Data preparation/conversion
  ◦ Computer operations
  ◦ Data library

Slide 4
• Segregation of incompatible IT functions
• Systems development & maintenance participants:
  ◦ End users
  ◦ IS professionals
  ◦ Auditors
  ◦ Other stakeholders

Slide 5
• Segregation of incompatible IT functions: objectives
  ◦ Segregate transaction authorization from transaction processing
  ◦ Segregate record keeping from asset custody
  ◦ Divide transaction processing steps among individuals to force collusion to perpetrate fraud

Slide 6
• Segregation of incompatible IT functions
  ◦ Separating systems development from computer operations [see Figure 2-2]

Slide 7
• Segregation of incompatible IT functions: separating the DBA from other functions
• The DBA is responsible for several critical tasks:
  ◦ Database security
  ◦ Creating database schema and user views
  ◦ Assigning database access authority to users
  ◦ Monitoring database usage
  ◦ Planning for future changes

Slide 8
• Segregation of incompatible IT functions
  ◦ Alternative 1: segregate systems analysis from programming [see Figure 2-3]
• Two types of control problems from this approach:
  ◦ Inadequate documentation is a chronic problem. Why?
    ▪ Not interesting
    ▪ Lack of documentation provides job security
    ▪ Assistance: use of CASE tools
  ◦ Potential for fraud
    ▪ Example: salami slicing, trap doors

Slide 9
• Segregation of incompatible IT functions
  ◦ Alternative 2: segregate systems development from maintenance [see Figure 2-2]
• Two types of improvements from this approach:
  ◦ Better documentation standards
    ▪ Necessary for transfer of responsibility
  ◦ Deters fraud
    ▪ Possibility of being discovered

Slide 10
• Segregation of incompatible IT functions
  ◦ Segregate data library from operations
• Physical security of off-line data files
• Implications of modern systems on the use of a data library:
  ◦ Real-time/online vs. batch processing
  ◦ Volume of tape files is insufficient to justify a full-time librarian
    ▪ Alternative: rotate the role on an ad hoc basis
  ◦ Custody of on-site data backups
  ◦ Custody of original commercial software and licenses

Slide 11
• Segregation of incompatible IT functions: audit objectives
  ◦ Risk assessment
  ◦ Verify incompatible areas are properly segregated
    ▪ How would an auditor accomplish this objective?
  ◦ Verify formal vs. informal relationships exist between incompatible tasks
    ▪ Why does it matter?

Slide 12
• Segregation of incompatible IT functions: audit procedures
  ◦ Obtain and review the security policy
  ◦ Verify the policy is communicated
  ◦ Review relevant documentation (org. chart, mission statement, key job descriptions)
  ◦ Review systems documentation and maintenance records (using a sample)
    ▪ Verify whether maintenance programmers are also original design programmers
  ◦ Observe segregation policies in practice
    ▪ Review operations room access log
    ▪ Review user rights and privileges

Slide 13
• Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
• Two alternatives shown in [see Figure 2-4]:
  ◦ Alternative A: centralized
  ◦ Alternative B: decentralized / network

Slide 14
• Inefficient use of resources
  ◦ Mismanagement of resources by end users
  ◦ Hardware and software incompatibility
  ◦ Redundant tasks
• Destruction of audit trails
• Inadequate segregation of duties
• Difficulty hiring qualified professionals
• Increased potential for errors
  ◦ Programming errors and system failures
• Lack of standards

Slide 15
• Cost reduction
  ◦ End-user data entry vs. data control group
  ◦ Application complexity reduced
  ◦ Development and maintenance costs reduced
• Improved cost control responsibility
  ◦ If IT is critical to success, then managers must control the technologies
• Improved user satisfaction
  ◦ Increased morale and productivity
• Backup flexibility
  ◦ Excess capacity for DRP

Slide 16
• Need for careful analysis
• Implement a corporate IT function:
  ◦ Central systems development
  ◦ Acquisition, testing, and implementation of commercial software and hardware
  ◦ User services
    ▪ Help desk: technical support, FAQs, chat room, etc.
  ◦ Standard-setting body
  ◦ Personnel review
    ▪ IT staff

Slide 17
• Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:
  ◦ in accordance with the level of potential risk
  ◦ and in a manner that promotes a working environment
• Verify that formal relationships exist between incompatible tasks

Slide 18
• Review the corporate policy on computer security
  ◦ Verify that the security policy is communicated to employees
• Review documentation to determine if individuals or groups are performing incompatible functions
• Review systems documentation and maintenance records
  ◦ Verify that maintenance programmers are not also design programmers
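The audit procedures on slides 12 and 18 (review user rights and privileges, compare maintenance records against original design programmers, review the operations room access log) are usually run over exported data rather than by eye. The script below is an added example written for this page, not code from Hall's text or the deck: the role labels, the list of incompatible pairs (drawn from the segregation objectives on slides 5 to 7 and 10), and all sample records are constructed for illustration.

```python
"""Added audit helper (not from Hall's IT Auditing deck): scripts the
segregation-of-duties checks on slides 12 and 18 over constructed data."""
from collections import defaultdict
from itertools import combinations

# Function pairs the deck says must be segregated (slides 5-7, 10).
# The role names are this example's own labels, not the textbook's.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
    frozenset({"data_library", "computer_operations"}),
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
}


def sod_conflicts(assignments):
    """assignments: iterable of (user, role) from a user-rights export.
    Returns {user: [(role_a, role_b), ...]} for users holding incompatible roles."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    conflicts = {}
    for user, roles in roles_by_user.items():
        hits = sorted(
            tuple(sorted(pair))
            for pair in combinations(roles, 2)
            if frozenset(pair) in INCOMPATIBLE_PAIRS
        )
        if hits:
            conflicts[user] = hits
    return conflicts


def maintained_by_original_designer(design_records, maintenance_records):
    """design_records: (program, designer); maintenance_records: (program, maintainer).
    Returns sorted (program, person) pairs where the maintainer was also the designer,
    the condition slide 18 says must not hold."""
    designer_of = dict(design_records)
    return sorted(
        {(program, person) for program, person in maintenance_records
         if designer_of.get(program) == person}
    )


def open_sign_ins(access_log):
    """access_log: ordered (time, person, 'in'|'out') entries from the operations
    room sign-in log. Returns exceptions: people never signed out, sign-outs
    without a sign-in, and malformed entries."""
    inside = set()
    problems = []
    for time, person, action in access_log:
        if action == "in":
            inside.add(person)
        elif action == "out":
            if person not in inside:
                problems.append(f"{time} {person}: sign-out without sign-in")
            inside.discard(person)
        else:
            problems.append(f"{time} {person}: unknown action {action!r}")
    problems.extend(f"{p}: signed in, never signed out" for p in sorted(inside))
    return problems


# Constructed sample evidence (not real audit data).
ASSIGNMENTS = [
    ("alice", "systems_development"), ("alice", "computer_operations"),
    ("bob", "dba"), ("bob", "monitoring"),
    ("carol", "record_keeping"), ("carol", "asset_custody"),
    ("dave", "data_library"),
]
DESIGN = [("AR-POST", "erin"), ("GL-CLOSE", "frank")]
MAINTENANCE = [("AR-POST", "erin"), ("GL-CLOSE", "gina"), ("AR-POST", "erin")]
ACCESS_LOG = [
    ("08:00", "hank", "in"), ("08:05", "ivy", "in"),
    ("12:00", "hank", "out"), ("13:30", "jack", "out"),
]


def run_audit():
    """Run all three checks; each empty result is a passed test of controls."""
    return {
        "sod_conflicts": sod_conflicts(ASSIGNMENTS),
        "self_maintained": maintained_by_original_designer(DESIGN, MAINTENANCE),
        "access_log_exceptions": open_sign_ins(ACCESS_LOG),
    }


if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(name, finding)
```

Each finding is an exception for the auditor to follow up, not a conclusion: a user holding two incompatible roles may be covered by a compensating control, which is exactly why slide 11 pairs the objective with a risk assessment.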

Slide 19
• Physical location
  ◦ Avoid human-made and natural hazards
  ◦ Example: Chicago Board of Trade
• Construction
  ◦ Ideally: single-story, underground utilities, windowless, use of filters
  ◦ If in a multi-story building, use the top floor (away from traffic flows and potential flooding in a basement)
• Access
  ◦ Physical: locked doors, cameras
  ◦ Manual: access log of visitors

Slide 20
• Air conditioning
  ◦ Especially for mainframes
  ◦ Amount of heat even from a group of PCs
• Fire suppression
  ◦ Automatic: usually sprinklers
    ▪ Gas, such as halon, that smothers fire by removing oxygen can also kill anybody trapped there
    ▪ Sprinklers and certain chemicals can destroy the computers and equipment
  ◦ Manual methods
• Power supply
  ◦ Need for clean power at an acceptable level
  ◦ Uninterruptible power supply (UPS)

Slide 21
• Physical security internal controls protect the computer center from physical exposures
• Insurance coverage compensates the organization for damage to the computer center
• Operator documentation addresses routine operations as well as system failures

Slide 22
• Man-made threats and natural hazards
• Underground utility and communications lines
• Air conditioning and air filtration systems
• Access limited to operators and computer center workers; others required to sign in and out
• Fire suppression systems installed
• Fault tolerance
  ◦ Redundant disks and other system components
  ◦ Backup power supplies

Slide 23
• Review insurance coverage on hardware, software, and the physical facility
• Review operator documentation (run manuals) for completeness and accuracy
• Verify that operational details of a system's internal logic are not in the operator's documentation

Slide 24
• Disaster recovery plans (DRP) identify:
  ◦ actions before, during, and after the disaster
  ◦ the disaster recovery team
  ◦ priorities for restoring critical applications
• Audit objective: verify that the DRP is adequate and feasible for dealing with disasters

Slide 25: Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site (known as a hot site or Recovery Operations Center). Some do not provide hardware (known as a cold site). When hardware is not provided, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

Slide 26
• Major internal control concerns:
  ◦ second-site backups
  ◦ critical applications and databases, including supplies and documentation
  ◦ backup and off-site storage procedures
  ◦ disaster recovery team
  ◦ testing the DRP regularly

Slide 27
• Empty shell: two or more user organizations buy or lease a building and remodel it into a computer site, but without computer equipment
• Recovery operations center: a completely equipped site; very costly and typically shared among many companies
• Internally provided backup: companies with multiple data processing centers may create internal excess capacity

Slide 28
• Evaluate the adequacy of second-site backup arrangements
• Review the list of critical applications for completeness and currency
• Verify that procedures are in place for storing off-site copies of applications and data
  ◦ Check the currency of backups and copies

Slide 29
• Verify that documentation, supplies, etc., are stored off-site
• Verify that the disaster recovery team knows its responsibilities
  ◦ Check the frequency of testing the DRP
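Item 7 of the plan on slide 25 (keep data backups off-site and test the restore function before a crisis) and the currency check on slide 28 are concrete enough to script. The block below is an added example written for this page, not code from Hall's text or the deck: it stands in an off-site copy with a second directory, records a SHA-256 manifest when the backup is made, performs a test restore into scratch space and compares every restored file with the manifest, and reports whether the newest backup is within an allowed age. The directory names, file contents and dates are constructed; `verify_restore` and `backup_is_current` are this example's own names.

```python
"""Added example (not from Hall's deck): off-site copy with a hash manifest,
test restore, and backup currency check for DRP items on slides 25 and 28."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir, created=None):
    """Copy source_dir into backup_dir/data (backup_dir stands in for the
    off-site location) and write a manifest of SHA-256 hashes and the creation
    time. The manifest is what the restore test is later checked against."""
    created = created or datetime.now(timezone.utc)
    data_dir = os.path.join(backup_dir, "data")
    if os.path.exists(data_dir):
        shutil.rmtree(data_dir)
    shutil.copytree(source_dir, data_dir)
    files = {}
    for root, _, names in os.walk(data_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    manifest = {"created": created.isoformat(), "files": files}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def load_manifest(backup_dir):
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        return json.load(f)


def verify_restore(backup_dir, scratch_dir):
    """Test restore: copy the backup into scratch_dir and compare each restored
    file with the manifest. Returns sorted (relative_path, problem); [] is a pass."""
    manifest = load_manifest(backup_dir)
    if os.path.exists(scratch_dir):
        shutil.rmtree(scratch_dir)
    shutil.copytree(os.path.join(backup_dir, "data"), scratch_dir)
    problems = []
    for rel, expected in manifest["files"].items():
        restored = os.path.join(scratch_dir, *rel.split("/"))
        if not os.path.exists(restored):
            problems.append((rel, "missing after restore"))
        elif sha256_file(restored) != expected:
            problems.append((rel, "hash mismatch"))
    return sorted(problems)


def backup_is_current(backup_dir, max_age, now=None):
    """Currency check (slide 28): was the backup created within max_age of now?"""
    created = datetime.fromisoformat(load_manifest(backup_dir)["created"])
    now = now or datetime.now(timezone.utc)
    return now - created <= max_age


def demo():
    """Walk-through on constructed files: clean restore, damaged off-site copy,
    and a currency check at two points in time. Returns the results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "campus")
        os.makedirs(os.path.join(src, "gl"))
        with open(os.path.join(src, "gl", "ledger.csv"), "w") as f:
            f.write("acct,amount\n1000,250.00\n")  # constructed sample data
        with open(os.path.join(src, "customers.txt"), "w") as f:
            f.write("ACME\n")
        offsite = os.path.join(tmp, "offsite")
        made = datetime(2011, 1, 1, tzinfo=timezone.utc)
        manifest = make_backup(src, offsite, created=made)
        clean = verify_restore(offsite, os.path.join(tmp, "restore1"))
        # Simulate a damaged off-site copy, then repeat the restore test.
        with open(os.path.join(offsite, "data", "gl", "ledger.csv"), "a") as f:
            f.write("9999,1.00\n")
        damaged = verify_restore(offsite, os.path.join(tmp, "restore2"))
        one_day = timedelta(days=1)
        return {
            "files": sorted(manifest["files"]),
            "clean": clean,
            "damaged": damaged,
            "current": backup_is_current(offsite, one_day, now=made + timedelta(hours=6)),
            "stale": backup_is_current(offsite, one_day, now=made + timedelta(days=30)),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that a backup which copies without error can still be useless: only restoring into scratch space and comparing hashes shows that the off-site copy is intact and complete, and only the recorded creation time answers the auditor's currency question on slide 28.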

Slide 30
• Improved core business processes
• Improved IT performance
• Reduced IT costs

Slide 31
• Failure to perform
• Vendor exploitation
• Costs exceed benefits
• Reduced security
• Loss of strategic advantage

Slide 32
• Management retains SOX responsibilities
• A SAS No. 70 report or an audit of the vendor will be required